Advisories

Please read our Vulnerability Disclosure Policy.



DD-WRT SSID Script Injection Vulnerability

Jul 28, 2008

DD-WRT is a third-party firmware released under the terms of the GPL for many IEEE 802.11a/b/g/h/n wireless routers based on a Broadcom or Atheros chip reference design. As a result of the research conducted to produce the paper Behind Enemy Lines, it was discovered that the DD-WRT administrative web interface is vulnerable to an SSID script injection attack. An attack could be crafted that could allow remote attackers to fully compromise the device. To resolve this vulnerability, it is recommended that the software be upgraded to the latest available version.


pfSense DHCP Script Injection Vulnerability

Jul 28, 2008

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. As a result of the research conducted to produce the paper Behind Enemy Lines, it was discovered that the pfSense firewall 1.0.1 administrative web interface is vulnerable to a DHCP script injection attack. An attack could be crafted to execute commands on the target system with root privileges through the exec.php script provided by the administrative web interface. To resolve this vulnerability, it is recommended that the software be upgraded to the latest available version.


IBM Lotus Domino "Accept Language" Stack Overflow Advisory

May 20, 2008

MWR InfoSecurity published an advisory today relating to a stack-based buffer overflow vulnerability in IBM Lotus Domino Web Server which can be exploited remotely.

The vulnerability would enable an attacker to execute arbitrary code on the system; in the majority of installations this will be with local SYSTEM privileges.

Users should upgrade to the latest secure version of the product by applying the appropriate vendor-provided security fix. The versions not affected by this issue are Lotus Domino 7.0.3 FixPack 1 (FP1) and 8.0.1. Information about the location of updated packages can be found at: http://www.ibm.com/support/docview.wss?rs=463&uid=swg21303057


National Rail Live Enquiries Departure Board Gadget Vulnerability

Apr 24, 2008

The National Rail Live Departure Board gadget has been identified as being vulnerable to a script injection attack that could potentially allow remote attackers to execute commands on the target system. An attacker successfully exploiting this vulnerability could execute arbitrary commands in the context of the currently logged-in user.

The National Rail Live Departure Board Sidebar gadget vulnerability is present because of a lack of sufficient sanitisation on arguments passed from the web server to the Sidebar gadget application.

The vendor has addressed this vulnerability and implemented a fix in version 1.1. This version has yet to be tested.

The National Rail Live Enquiries Departure Board Gadget upgrade can be found at the following location: http://gallery.live.com/LiveItemDetail.aspx?li=aef90e44-18cf-4246-b1d9-4ab83e0e13db


IBM Informix Pre-Authentication Stack Overflow

Apr 15, 2008

An advisory has been released today by MWR InfoSecurity relating to a pre-authentication stack overflow in IBM Informix.

The IBM Informix Database service is vulnerable to a stack-based buffer overflow which can be exploited remotely before authentication has been completed.

The vulnerability would enable an attacker to execute arbitrary code on the system with the privileges of the Informix user. By default, this account is a member of the administrators group on a Microsoft Windows system.

The code responsible for parsing the parameters within the first packet of the protocol handshake does not validate the number of arguments it accepts. This results in the ability to overflow a stack buffer, which in turn allows arbitrary code to be executed.

The vendor has released updates to resolve this issue; please refer to the following link: http://www-1.ibm.com/support/search.wss?rs=0&q=IC55223&apar=only


